The first “mother may I” exploit was MS06-014. The second demo I did was the more interesting MS10-002, a heap spray used in the Aurora attacks. Symantec has a good writeup. If you actually want to play with either of these, you’ll find them both in Metasploit. You should have little trouble duplicating the demos on XP virtual machines with IE6, and with a little websearching you can probably find a version of the MS10-002 exploit that will work on Vista and IE7 machines.

The small reversing demo with the serial number checking program was from crackmes.de. Grab a copy of OllyDbg and start poking around.